
# 生成 ca 私钥
openssl genrsa -out rootCA.key 2048

# ca 自签根证书
openssl req -x509 -sha256 -new -nodes -key ./rootCA.key -days 36500 -out rootCA.crt -subj "/C=cn/ST=gd/L=sz/O=hw/OU=hc/CN=rootCA"


# 生成服务端证书私钥
openssl genrsa -out server.key 2048

# 生成证书申请（CSR）
openssl req -new -sha256 -key server.key \
    -subj "/C=cn/ST=gd/L=sz/O=hw/OU=hc/CN=localhost" \
    -extensions v3_req \
    -config <(cat /private/etc/ssl/openssl.cnf \
        <(printf "[req]\nreq_extensions = req_ext\n[req_ext]\nsubjectAltName=DNS:localhost,IP.1:127.0.0.1")) \
    -out SANserver.csr

# 签发证书
openssl ca -in SANserver.csr \
    -policy policy_anything \
    -cert  rootCA.crt \
    -keyfile rootCA.key \
    -batch \
    -extensions SAN \
    -config <(cat /etc/pki/tls/openssl.cnf \
        <(printf "[req]\nreq_extensions = req_ext\n[req_ext]\nsubjectAltName=DNS:localhost,IP.1:127.0.0.1")) \
    -out ./SANserver.crt

# 生成客户端证书
# 生成客户端证书私钥
openssl genrsa -out client.key 2048
# 生成证书申请（CSR）
openssl req -new -key client.key -out client.csr -subj "/C=cn/ST=gd/L=sz/O=hw/OU=hc/CN=client-test"
# 签发证书
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -in client.csr -out client.crt -days 36500



